
Subject: Problem with Masquerading + cipe + iptables
From: "David Place" <dplace,AT,bigpond,DOT,net,DOT,au>
Date: Sun, 10 Feb 2002 01:38:24 +0100

It seems that with cipe 1.5.2 (and older versions) Masquerading+cipe+iptables does not work.
I've connected a VPN (Host C, D, ...) to the internet through a Firewall using masquerading.
The Firewall is connected to the internet via a ppp link to my provider.
From the Firewall (Host B) I've established a cipe connection through ppp0 to Host A:

internet----(ppp0)-----Firewall (Host B)----(eth0)----VPN (Host C/D...)
Host A-----(cipcb0)--------|
   |
NetworkA

The goal is to enable ftp etc... between Host C/D and NetworkA.
My routing table on Host B is as follows:
Destination     Gateway         Genmask          Iface
192.168.1.1     0.0.0.0         255.255.255.255  cipcb0
Host A          0.0.0.0         255.255.255.255  ppp0
Provider        0.0.0.0         255.255.255.255  ppp0
NetworkA        192.168.1.1     255.255.255.0    cipcb0
VPN             0.0.0.0         255.255.255.0    eth0
0.0.0.0         Provider        0.0.0.0          ppp0

If I use ipchains, everything works perfectly: I can ping any computer in NetworkA from Host C/D. Here are the ipchains rules I use:
/sbin/ipchains -A input -s NetworkA -d 0/0 -i cipcb0 -j ACCEPT
/sbin/ipchains -A output -s 0/0 -d NetworkA -i cipcb0 -j ACCEPT
/sbin/ipchains -A forward -s VPN -d VPN -j ACCEPT                 # don't masq internal traffic
/sbin/ipchains -A forward -s Provider -d 0/0 -j ACCEPT
/sbin/ipchains -A forward -s VPN -d 0/0 -j MASQ                   # masquerade through ppp0
/sbin/ipchains -A forward -i cipcb0 -s VPN -d NetworkA -j MASQ    # masquerade through cipcb0

If I use iptables with the following rules, when I ping a computer in NetworkA from Host C/D, it seems that the TCP/IP packets from Host C/D can reach NetworkA but the replies from NetworkA never reach Host C/D. Here are the iptables rules I use:
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o cipcb0 -j MASQUERADE
$IPTABLES -A FORWARD -i cipcb0 -o eth0 -m state --state ESTABLISHED,RELATED -j accept-and-log-it
$IPTABLES -A FORWARD -i eth0 -o cipce0 -j accept-and-log-it
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j accept-and-log-it
$IPTABLES -A FORWARD -i eth0 -o ppp0 -j accept-and-log-it

Does anybody have any thoughts?

Thanks.

David.
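The ruleset above, rebuilt as an added example (this is not code from David's post, nor from the cipe project). Each link's interface name is defined once and substituted into both its POSTROUTING and FORWARD rules, so a mismatch like the posted rules' cipce0 (one FORWARD rule) versus cipcb0 (everywhere else) cannot arise, and a dry-run check flags any rule that names an interface outside the three configured. FORWARD is default-deny, and the FTP connection-tracking helpers are loaded so that FTP data channels are classed RELATED instead of being dropped by the reply-only rule. Assumptions not confirmed by the post: a 2.4-series kernel whose helper modules are named ip_conntrack_ftp and ip_nat_ftp, and that accept-and-log-it is a user chain that logs and then accepts (it is defined that way here).

```shell
#!/bin/sh
# Added example, not code from the original post: the posted iptables rule
# set with one variable per interface, a default-deny FORWARD policy and
# the FTP conntrack helpers. Assumptions: 2.4-era kernel (modules
# ip_conntrack_ftp / ip_nat_ftp) and a log-then-accept user chain named
# accept-and-log-it as in the post.

IPTABLES="${IPTABLES:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
EXT_IF="${EXT_IF:-ppp0}"     # link to the provider
TUN_IF="${TUN_IF:-cipcb0}"   # cipe tunnel to Host A / NetworkA
LAN_IF="${LAN_IF:-eth0}"     # Host C, D, ... (the local VPN segment)

# Stand-in for iptables/modprobe in dry runs: print the arguments instead.
dry_run_cmd() {
    printf '%s\n' "$*"
}

# The user chain the post's rules jump to: log the packet, then accept it.
setup_log_chain() {
    $IPTABLES -N accept-and-log-it
    $IPTABLES -A accept-and-log-it -j LOG --log-prefix "fw-accept: "
    $IPTABLES -A accept-and-log-it -j ACCEPT
}

# Without these helpers an FTP data connection opened from the far side is
# a NEW connection on the tunnel and is dropped by the reply-only rule.
load_ftp_helpers() {
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

# One masqueraded link: new connections may leave $LAN_IF through it, and
# only replies to tracked connections (ESTABLISHED,RELATED) come back in.
allow_masq_link() {
    link=$1
    $IPTABLES -t nat -A POSTROUTING -o "$link" -j MASQUERADE
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$link" -j accept-and-log-it
    $IPTABLES -A FORWARD -i "$link" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j accept-and-log-it
}

apply_rules() {
    $IPTABLES -P FORWARD DROP        # anything not matched below is dropped
    setup_log_chain
    load_ftp_helpers
    allow_masq_link "$EXT_IF"        # Host C/D -> internet via ppp0
    allow_masq_link "$TUN_IF"        # Host C/D -> NetworkA via cipcb0
}

# Print the rule set without touching the kernel and verify that every
# interface named after -i or -o is one of the three configured above.
# Returns 0 when the set is consistent, 1 if a stray name slipped in.
check_rules() {
    rules=$(IPTABLES=dry_run_cmd; MODPROBE=dry_run_cmd; apply_rules)
    printf '%s\n' "$rules"
    bad=$(printf '%s\n' "$rules" | awk -v ok=" $EXT_IF $TUN_IF $LAN_IF " '
        { for (i = 1; i < NF; i++)
              if (($i == "-i" || $i == "-o") && index(ok, " " $(i+1) " ") == 0)
                  print $(i+1) }')
    [ -z "$bad" ]
}

# Usage: "sh fw.sh check" prints and validates the rules; "sh fw.sh apply"
# enables forwarding and loads them into the running kernel.
case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; apply_rules ;;
    check) check_rules ;;
esac
```

Run the check form first on the firewall: the printed lines are exactly what would be handed to iptables, so the tunnel pair (eth0 to cipcb0 for new connections, cipcb0 to eth0 for replies) can be compared by eye against the posted rules before anything is loaded.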